
Abstract:

A cryptographic device and a cryptographic method of generating
pseudo-random numbers. Initial data is divided into a plurality of words
on b bits defined in a finite body GF(2^b). The words are assigned to
cells of a state table to form an initial state block. The cells of the
state table are grouped to assign a group of cells to each set of d/b
words, where d is a multiple of b strictly greater than b. And, a
succession of state blocks is iteratively generated from the initial
state block to form a final state block, so that on each iteration each
set of d/b words of a current state block is replaced by another set of
d/b words to form a next state block using a reference table including
substitution elements on d bits.

Claims:

1-10. (canceled)

11. A cryptographic method of generating pseudo-random numbers, comprising:
dividing initial data into a plurality of words on b bits defined in a
finite body GF(2^b);
assigning the words to cells of a state table to form an initial state
block;
grouping the cells of the state table to assign a group of cells to each
set of d/b words, wherein d is a multiple of b strictly greater than b; and
generating a succession of state blocks iteratively from the initial state
block to form a final state block representative of a pseudo-random number,
so that on each iteration each set of d/b words of a current state block is
replaced by another set of d/b words to form a next state block using a
reference table including substitution elements on d bits.

12. A method according to claim 11, wherein the iterative generation of
the succession of state blocks further comprises mixing the words of the
current state block in accordance with a predetermined mixing
transformation.

13. A method according to claim 12, wherein the predetermined mixing
transformation includes multiplication in the finite body GF(2^b) of a
column of the current state block by a predefined matrix in the finite
body.

14. A method according to claim 11, wherein the iterative generation of
the succession of state blocks further comprises permutation of words
over at least a portion of said current state block.

15. A method according to claim 11, wherein the iterative generation of a
succession of state blocks further comprises modification of at least
part of a word situated in a predetermined cell of the state table.

16. A method according to claim 11, further comprising adding each word of
the initial state block in the finite body to a corresponding word in an
encryption key.

17. A method according to claim 11, wherein the initial data is generated
by a counter.

18. A cryptographic device for generating pseudo-random numbers, comprising:
division means for dividing initial data into a plurality of words on b
bits defined in a finite body GF(2^b);
assignment means for assigning the words to cells of a state table to form
an initial state block;
definition means for defining and storing a reference table including
substitution elements on d bits where d is a multiple of b strictly greater
than b;
grouping means for grouping the cells of the state table to assign a group
of cells to each set of d/b words; and
generating means for generating a succession of state blocks iteratively
from the initial state block to form a final state block, so that on each
iteration each set of d/b words of a current state block is replaced by
another set of d/b words as a function of a reference table to form a next
state block.

19. A device according to claim 18, further comprising a counter and logic
gates.

20. An RFID device including the device according to claim 19.

Description:

TECHNICAL FIELD OF THE INVENTION

[0001]The invention relates to cryptography. To be more precise, the
invention concerns a scheme for generating pseudo-random numbers that can
be used in devices of low computation power. The technique of the
invention can be applied to implementing a low-cost pseudo-random number
generator (PRNG).

BACKGROUND OF THE INVENTION

[0002]Generally speaking, there are two approaches to designing
symmetrical cryptography algorithms.

[0003]The first approach provides a "proof of security" based on the
relationship between a method of "breaking" a code and the capacity to
solve what is generally considered to be a difficult problem.

[0004]The second and more common approach depends on precisely engineering
an electronic circuit including logic gate components to effect
encryption to the required security level. Under such circumstances,
efficacy can be quantified by the computation speed or the number of
logic gates necessary to implement the electronic circuit.

[0005]At present, following standardization (FIPS 197, NIST 2001) of
Advanced Encryption Standard (AES) cryptography algorithms, it is very
beneficial to implement such algorithms in a wide range of applications.

[0006]The AES algorithm is noteworthy for its close compliance with the
Shannon principles known in the art and with two concepts that are
important for implementing cryptography algorithms, namely "confusion"
and "diffusion". Putting it simply, confusion corresponds to the idea of
"performing difficult operations" and diffusion corresponds to the idea
of "causing the change or transformation to propagate" during a
cryptography calculation.

[0007]It is usually considered that one of the best ways to obtain a
confusion effect is to use a substitution box (S-box), and that one of
the best ways to produce a diffusion effect is to perform a certain kind
of permutation.

[0008]The input to an AES algorithm is a block of 16 bytes. Each byte is
replaced by another byte specified by an 8-bit to 8-bit S-box. These
bytes are then placed in a matrix in which each element of the matrix is
shifted cyclically to the left by a certain number of columns. A matrix
product is then computed before adding each byte to a byte corresponding
to a round key obtained by diversifying an encryption key.

[0009]Thus the security of an AES algorithm depends on interaction between
the S-box and a mixing (or diffusion) operation that permutates the bytes
and combines them structurally. Precise interaction between the bytes
produces and guarantees good resistance to differential cryptanalysis and
linear cryptanalysis attacks.

[0010]At present, attempts are being made to introduce cryptography
functions into very restricted computation environments, for example into
RFID chips.

[0011]However, algorithms for such environments are produced on a one-off
basis and use cryptography components of low capacity. It is very
difficult to produce cryptography components having quality comparable to
those used to implement an AES algorithm in an environment where
computation is highly restricted.

OBJECT AND SUMMARY OF THE INVENTION

[0012]The present invention provides a cryptographic method of generating
pseudo-random numbers that comprises the following steps:

[0013]dividing initial data into a plurality of words on b bits defined
in a finite body GF(2^b);

[0014]assigning said words to cells of a state table to form an initial
state block;

[0015]grouping the cells of said state table to assign a group of cells to
each set of d/b words, where d is a multiple of b strictly greater than b;
and

[0016]generating a succession of state blocks iteratively from said
initial state block to form a final state block, so that on each iteration
each set of d/b words of a current state block is replaced by another set
of d/b words to form a next state block using a reference table including
substitution elements on d bits.

[0017]Using a reference table having elements of length d strictly greater
than b introduces a diffusion effect in addition to the confusion effect,
thereby achieving high quality generation of pseudo-random numbers at
very low computation cost.

[0018]Note that an AES algorithm uses an S-box having elements of the same
size as the words of an internal state block, causing an input word on b
bits to correspond to an output word on b bits, and the words are used
one by one. Thus in such algorithms replacing words by substitution as
specified by the S-box generates a confusion effect but no diffusion
effect.

[0019]In contrast, the substitution operation as specified by the
reference table of the invention does not use the words one by one, but
in groups. Moreover, note that using a reference table or S-box having
elements larger than the internal state words goes entirely against the
customary approach of the person skilled in the art.

[0020]Thus the configuration of the invention provides both diffusion and
confusion effects whilst economizing on computation time for the same
level of security. This raises the level of security at the same time as
reducing the number of logic gates (known as gate equivalents (GE))
used in an electronic circuit implementing this encryption method. Thus
the technique of the invention can easily be applied to implementing a
low-cost pseudo-random number generator in a very restricted environment
such as in an RFID chip or cell. Furthermore, this technique can be
applied to a variety of cryptography algorithm types: block coding,
stream coding, hashing functions, message authentication codes. Moreover,
using such reference tables with d strictly greater than b produces a
pseudo-random number generator that is more robust against cryptanalysis
attacks known as square attacks, to which AES-type algorithms are reputed
to be sensitive.

[0021]Iterative generation of said succession of state blocks
advantageously further comprises a step of mixing the words of said
current state block in accordance with a predetermined mixing
transformation.

[0022]This mixing transformation guarantees better diffusion or
propagation of the bits of a state block, thus enhancing the security of
encryption and the quality of the pseudo-random numbers generated without
overburdening the computation steps.

[0023]This predetermined mixing transformation can include multiplication
in the finite body GF(2^b) of a column of said current state block by
a predefined matrix in said finite body. This matrix multiplication is a
linear transformation that is relatively simple to implement.

[0024]Iterative generation of said succession of state blocks
advantageously further comprises permutation of words over at least a
portion of said current state block.

[0025]This further increases the propagation of the bits, which improves
security.

[0026]According to one feature of the present invention, iterative
generation of a succession of state blocks further comprises modification
of at least part of a word situated in a predetermined cell of the state
table.

[0027]This reduces any symmetry that might occur on successive iterations,
which complicates any prediction attempt and consequently improves the
security of the method.

[0028]According to another feature of the present invention, the method
includes adding each word of said initial state block in the finite body
to a corresponding word in an encryption key, thereby improving security.

[0029]Thus security similar to that of an AES algorithm can be guaranteed
with an optimum number of computations.

[0030]Said initial data is advantageously generated by a counter. Thus
pseudo-random numbers can easily be generated with a minimum number of
operations.

[0031]The invention is also directed to a cryptographic device for
generating pseudo-random numbers, the device comprising:

[0032]division means for dividing initial data into a plurality of words
on b bits defined in a finite body GF(2^b);

[0033]assignment means for assigning said words to cells of a state table
to form an initial state block;

[0034]definition means for defining and storing a reference table
including substitution elements on d bits where d is a multiple of b
strictly greater than b;

[0035]grouping means for grouping the cells of said state table to assign
a group of cells to each set of d/b words; and

[0036]generating means for generating a succession of state blocks
iteratively from said initial state block to form a final state block, so
that on each iteration each set of d/b words of a current state block is
replaced by another set of d/b words as a function of said reference
table to form a next state block.

[0037]The invention is also directed to a pseudo-random number generator
including a counter and logic gates for implementing the method briefly
described above.

[0038]The invention is further directed to an RFID device including a
generator as briefly described above.

BRIEF DESCRIPTION OF THE DRAWINGS

[0039]Other features and advantages of the invention emerge on reading the
description given below by way of non-limiting example and with reference
to the appended drawings, in which:

[0040]FIG. 1 is a chart showing the steps of a cryptography method of the
invention;

[0041]FIG. 2 illustrates one example of the action of a reference table in
the FIG. 1 method;

[0042]FIG. 3 is a very diagrammatic illustration of a device implementing
the FIG. 1 method;

[0043]FIG. 4 shows one particular embodiment of the FIG. 1 method; and

[0044]FIG. 5 is a very diagrammatic illustration of a pseudo-random
generator implementing the FIG. 4 method.

DETAILED DESCRIPTION OF EMBODIMENTS

[0045]FIG. 1 is a chart showing the steps of a cryptography method of the
invention for generating pseudo-random numbers from initial data.

[0046]The step E1 divides the message or the initial data 1 into words 3
on b bits defined in a finite body GF(2^b), where b can be equal to
2, 4, 8, 16, 32, 64 or 128, for example.

[0047]In the step E2, these words 3 are assigned to cells 5 of a state
table 7 to form an initial state block. Note that only some of the words
3 can be placed in the state table 7.

[0048]In the step E3, the cells 5 of the state table 7 are grouped to
assign a group 11 of cells to each set of d/b words, where d is a
multiple of b, with d>b. Each set of words then corresponds to an
element on d bits.

[0049]Finally, in the step E4, a succession of current state blocks 13b is
generated iteratively from the initial state block 13a to form a last
block or final state block 13c using a predefined reference or
substitution table 9 including substitution elements on d bits. Thus the
reference table 9 can replace an input element on d bits by an output
element on d bits.

[0050]On each iteration, each set of d/b words of a current state block
13b is replaced by another set of d/b words as a function of the
reference table 9 to form a next state block. Thus the final state block
13c represents the pseudo-random number generated.

[0051]Using a reference table having elements of length d>b introduces
a diffusion effect in addition to the confusion effect and achieves a
good level of security faster than a prior art substitution table (S-box)
with d=b.

[0052]FIG. 2 illustrates one example of the action of a reference table 9
on a state table 7 comprising four columns and four rows (4×4). In
this example the initial state block 13a includes words A00, ..., A33
on 4 bits (i.e. b=4) and the reference table 9 includes elements
on 8 bits (i.e. d=8). In this example, an S-box reference table of an AES
algorithm can be used.

[0053]Thus the cells 5 of the state table 7 are grouped in pairs. In this
example, the cells 5 including the words A00 and A01 form a
first group 11a, those containing the words A02 and A03 form a
second group 11b, those containing the words A11 and A12 form a
third group 11c, and so on. In this example, the reference table 9
substitutes the words two by two. For example, the words A00 and
A01 are replaced by B00 and B01 and the words A02 and
A03 are replaced by B02 and B03. Another state block 13b
is therefore formed containing the words B00, . . . , B33
defined by a function "S" determined by the reference table 9 in the
following manner, where the symbol "∥" between two words
represents their concatenation:

B00∥B01=S[A00∥A01],
B02∥B03=S[A02∥A03]

B11∥B12=S[A11∥A12],
B13∥B10=S[A13∥A10]

B20∥B21=S[A20∥A21],
B22∥B23=S[A22∥A23]

B31∥B32=S[A31∥A32],
B33∥B30=S[A33∥A30]

[0054]Thus a succession of state blocks 13b can be generated iteratively
as a function of one or more reference tables 9. Note that in a
restricted (for example RFID) medium, it is preferable (although not
mandatory) to use a single reference table 9 for all operations.

[0055]To guarantee improved propagation, the words 3 of a current state
block 13b can be mixed using a predetermined transformation "MIX".

[0056]Thus on each iteration, substitution as a function of the reference
table 9 can be followed by mixing words on b bits, for example using a
technique similar to that used by the AES algorithm.

[0057]In the FIG. 2 example, this mixing operation MIX can be effected in
the following manner:

C00∥C10∥C20∥C30 = MIX[B00∥B10∥B20∥B30]

C01∥C11∥C21∥C31 = MIX[B01∥B11∥B21∥B31]

C02∥C12∥C22∥C32 = MIX[B02∥B12∥B22∥B32]

C03∥C13∥C23∥C33 = MIX[B03∥B13∥B23∥B33]

[0058]Depending on the properties of the mixing operation MIX, which
themselves depend on the matrices chosen, it can be advantageous to
permutate words 3 over at least a portion of the current state block 13b
by means of a permutation operation "Swap".

[0059]In the FIG. 2 example, this permutation Swap can be effected in the
following manner:

Swap C02∥C12 with C22∥C32

Swap C03∥C13 with C23∥C33

[0060]Furthermore, depending on the characteristics of the electronic
components used to fabricate a device implementing the method of the
invention, a simple incrementation counter or any other similar mechanism
can be used to reduce any symmetry that might occur during successive
iterations. For example, this can involve a simple modification of at
least part of a word in a predetermined cell 5 of the state table 7. For
example, it suffices to complement a few bits situated in a clearly
defined single cell 5 at a clearly defined moment of the computation.

[0061]Moreover, the method of the invention can include combination by
adding, using the exclusive-OR operation, each word 3 of the initial
state block 13a in the finite body to a corresponding word of a
predefined encryption key or to alternating sequences of secret words.

[0063]The division means 23 divide the message or the initial data into
words 3 on b bits. The assignment means 25 assign these words 3 to the
cells 5 of the state table 7 to form the initial state block 13a. The
defining means 27 define and store the reference or substitution
table(s) 9 containing substitution elements on d bits, where d>b. The
grouping means 29 group the cells 5 of the state table to assign a group
11 of cells to each set of d/b words. The generation means 31 generate a
succession of state blocks 13b iteratively from the initial state block
13a to form a final state block 13c representing a pseudo-random number.

[0064]To implement a pseudo-random number generator, the initial data 1
used to form the initial state block 13a can be generated by a simple
counter.

[0065]FIG. 4 is a chart showing one particular embodiment of a 64-bit
pseudo-random number generator PRNG using ten iterations. This generator
can be used in an RFID chip containing a 128-bit secret key that can be
represented by a pair of data items (s0, s1), for example,
where s0 and s1 both have a length of 64 bits.

[0066]In each sequence of iterations defined by a 16-bit counter ci,
a 64-bit output value vi is generated by the PRNG as a function of
ci, s0 and s1 (i.e. vi = f(ci, s0, s1) for 1 ≤ i ≤ 2^16).

[0067]The step E11 is the initial state of a sequence of iterations
(counter ci=1). In this step, the 64 bits of the initial data 1 are
arranged in a 4×4 state table 7 containing sixteen words A00, ..., A33
on four bits, as shown in the FIG. 2 example.

[0068]In the step E12, the first row of the state table 7 is added (using
the exclusive-OR operation) to the current value of the counter arranged
as four words of 4 bits (4×4 bits), i.e.
ci = [ci0 ∥ ci1 ∥ ci2 ∥ ci3].

[0069]Three iterations "Mixtable" are carried out in the step E13. Each
iteration Mixtable includes substitutions in accordance with a function S
determined by a reference table 9 performing 8-bit permutations (for
example an AES S-box) and/or mixing operations MIX within one or more
columns and/or permutations Swap.

[0070]On a given iteration number r, the current state block 13b is
defined as follows as a function of the reference table 9:

B00∥B01=S[A00∥A01],
B02∥B03=S[A02∥A03]

B11∥B12=S[A11∥A12],
B13∥B10=S[A13∥A10]

B20∥B21=S[A20∥A21],
B22∥B23=S[A22∥A23]

B31∥B32=S[A31∥A32⊕r],
B33∥B30=S[A33∥A30]

[0071]Note that on iteration r, the value taken by r is added to a word
(for example the word A32) in order to reduce any symmetry effect
that might occur between iterations.

[0072]The mixing operation MIX performs mixing within a column using a
predetermined 4×4 matrix M in a finite body GF(2^4). This
operation multiplies each column of the state table 7 by this matrix M.

[0073]The mixing operation MIX can be followed by permutation of the words
on the last two rows of the current state block 13b in the following
manner:

C02∥C12 is swapped with C22∥C32; and

C03∥C13 is swapped with C23∥C33.

[0074]The step E14 combines by means of an exclusive-OR operation the 64
bits of the current state block 13b with the 16 half-bytes (16×4
bits) of the secret key in s1.

[0075]The step E15 performs four further iterations Mixtable.

[0076]The step E16 combines by means of an exclusive-OR operation the 64
bits of the current state block 13b with the 16 half-bytes (16×4
bits) of the secret key in s0.

[0077]The step E17 performs three further iterations Mixtable.

[0078]The step E18 combines by means of an exclusive-OR operation the 64
bits of the current state block 13b with the 16 half-bytes (16×4
bits) of the secret key in s1.

[0079]The step E19 gives the output value vi on the ith sequence
of iterations in the following manner:

Vi = [V00 ∥ ... ∥ V03 ∥ V10 ∥ ... ∥ V13 ∥ ... ∥ V33].

[0080]The step E20 is a test to verify if the value ci of the counter
is equal to (2^16 - 1). If yes, the chip is destroyed in the step E21;
if no, ci is incremented in the step E22 before starting the above
steps again.
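The FIG. 2 round (pairwise substitution S, MIX, Swap) and the FIG. 4 sequence E11 to E19, as an added software model written for this page; it is not the patent's own code. The MIX matrix M (the AES circulant matrix taken over GF(2^4)), the all-zero 64-bit initial data and the big-endian mapping of a 64-bit integer onto the 4×4 table are assumptions, since the patent does not fix them; the 8-bit reference table is the AES S-box, computed in place.

```python
# Added example, not the patent's own code: a software model of the FIG. 4
# 64-bit PRNG with b = 4 (4x4 table of 4-bit words) and d = 8 (AES S-box on
# pairs of words). Assumed, because the patent does not fix them: the MIX
# matrix M, the 64-bit initial data (all zero) and the int <-> table mapping.

def gf_mul(a, b, poly, nbits):  # multiply in GF(2^nbits) modulo poly
    r, high = 0, 1 << nbits
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & high:
            a ^= poly
        b >>= 1
    return r

def aes_sbox():  # AES S-box: inverse in GF(2^8) (x^254, poly 0x11B), then affine map
    box = []
    for x in range(256):
        v = x
        for _ in range(253):
            v = gf_mul(v, x, 0x11B, 8)
        rot = [((v << i) | (v >> (8 - i))) & 0xFF for i in range(5)]
        box.append(rot[0] ^ rot[1] ^ rot[2] ^ rot[3] ^ rot[4] ^ 0x63)
    return box

SBOX = aes_sbox()
# Pair grouping of FIG. 2 / [0070]: rows 1 and 3 pair (A11,A12),(A13,A10), etc.
PAIRS = [[(0, 1), (2, 3)], [(1, 2), (3, 0)], [(0, 1), (2, 3)], [(1, 2), (3, 0)]]
M = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]  # assumed MIX matrix

def substitute(state, r):  # S on each word pair; round r is XORed into A32 first
    a = [row[:] for row in state]
    a[3][2] ^= r & 0xF
    b = [[0] * 4 for _ in range(4)]
    for row in range(4):
        for c1, c2 in PAIRS[row]:
            out = SBOX[(a[row][c1] << 4) | a[row][c2]]
            b[row][c1], b[row][c2] = out >> 4, out & 0xF
    return b
def mix(state):  # multiply every column by M in GF(2^4), poly x^4 + x + 1
    c = [[0] * 4 for _ in range(4)]
    for col in range(4):
        for i in range(4):
            for j in range(4):
                c[i][col] ^= gf_mul(M[i][j], state[j][col], 0x13, 4)
    return c
def swap(state):  # C02||C12 <-> C22||C32 and C03||C13 <-> C23||C33 ([0073])
    d = [row[:] for row in state]
    for col in (2, 3):
        d[0][col], d[1][col], d[2][col], d[3][col] = d[2][col], d[3][col], d[0][col], d[1][col]
    return d

def to_state(x):  # 64-bit int -> table, A00 is the most significant word
    h = f"{x:016x}"
    return [[int(h[4 * row + col], 16) for col in range(4)] for row in range(4)]
def from_state(s):  # table -> 64-bit int, V_i = [V00||...||V03||V10||...||V33]
    return int("".join(f"{w:x}" for row in s for w in row), 16)

def prng_output(counter, s0, s1):  # v_i = f(c_i, s0, s1), steps E11..E19
    state = to_state(0)                                  # E11: initial data (assumed 0)
    for col in range(4):                                 # E12: row 0 ^= c_i as 4 x 4 bits
        state[0][col] ^= (counter >> (12 - 4 * col)) & 0xF
    r = 1
    for rounds, key in ((3, s1), (4, s0), (3, s1)):     # E13/E14, E15/E16, E17/E18
        for _ in range(rounds):                          # Mixtable = S, then MIX, then Swap
            state = swap(mix(substitute(state, r)))
            r += 1
        state = [[a ^ b for a, b in zip(sr, kr)] for sr, kr in zip(state, to_state(key))]
    return from_state(state)                             # E19: 16 words concatenated
```

Calling prng_output(ci, s0, s1) for ci = 1, 2, ... up to 2^16 - 1 reproduces the E20/E22 loop; a 16-bit counter gives at most 65535 outputs per key, which is the limit the chip enforces.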

[0081]FIG. 5 shows very diagrammatically a pseudo-random number generator
(PRNG) 41 implementing the FIG. 4 method. This generator 41 includes a
counter 43 and logic gates 45 and can easily be implemented in an RFID
chip.

[0082]Note that one particular implementation of an AES algorithm
determined by an S-box and a random access memory (RAM) requires 395 and
2337 logic gates, respectively.

[0083]In contrast, by comparison with the AES algorithm, a PRNG 41
according to FIGS. 4 and 5 halves the number of states and does not
include iteration keys obtained by diversification. Moreover, the mixing
operations within columns require very few logic gates.

[0084]There is therefore obtained, by means of the invention, an efficient
PRNG 41 with a good security level and a reduced number of gates compared
to the AES algorithm.